Duqu: The Step-Brother of Stuxnet?

21 Oct 2011Virus News

The spread across the Internet of several versions of the malicious program Duqu has become a main news item in the IT Security industry. In no small part this is due to some similarities between this new worm and last year’s infamous Stuxnet worm. What is alarming in this case however is that the ultimate objective of Duqu remains unknown. Anti-malware experts at Kaspersky Lab have carried out their analysis of the new malware, the main findings of which are as follows.

The Duqu worm was first detected in early September 2011, after a user in Hungary uploaded one of the compoents of the malicious software to the Virustotal website, which analyses infected files with anti-virus programs of different manufacturers (including Kaspersky Lab’s). However, this first-detected sample of turned out to be just one of several components that make up the whole of the worm. A little later, in a similar way, the Kaspersky Lab anti-malware experts received a sample of another module of the worm via Virustotal, and it was specifically its analysis that permitted finding a resemblance with Stuxnet.

Though there are some overall similarities between the two worms Duqu and Stuxnet, there are also significant differences. Shortly after several variants of Duqu had been found, the Kaspersky Lab experts started to track in real time infection attempts by the worm among users of the cloud-based Kaspersky Security Network. What was surprising was that during the first 24 hours only one system had been infected by the worm. Stuxnet, on the other hand, infected tens of thousands of systems all around the world; it is assumed that it had, however, a single ultimate target - industrial control systems used in Iran’s nuclear programs. The ultimate target of Duqu is as yet unclear.

The only infection with the worm among users of the Kaspersky Security Network is an infection with one of the several modules that presumably make up the Duqu worm. Instances of infection by the second module, which is, in essence, a separate malicious program – a Trojan-Spy – have not yet been found. It is specifically this module of Duqu that possesses the malicious functionality - it gathers information about the infected machine and also tracks key strokes made on its keyboard.

Alexander Gostev, Chief Security Expert with Kaspersky Lab, said: “We’ve not found any instances of infections of computers of our clients with the Trojan-Spy module of Duqu. This means that Duqu may be aimed at a small quantity of specific targets, and different modules may be used to target each of them.”

One of the yet-to-be-solved mysteries of Duqu is its initial method of penetration into a system: the installer or “dropper” needed for this has not yet been found. The hunt for this module of Duqu continues, and it is specifically this module that will help us in finding the ultimate target of this malicious program.

All revealed versions of the Duqu worm at present are detected by Kaspersky Lab anti-virus products. More information about this malware can be found in the articles of Alexander Gostev and Ryan Naraine at Securelist.